Jon Earl Murphy

Jon Earl Murphy: How Boards Can Make Clear Cybersecurity Decisions Under Pressure

A cybersecurity incident is the worst time to discover that no one has clearly defined who makes the critical decisions. Yet that is precisely when many boards realize the gap exists. As a breach unfolds, with regulators possibly watching and customer data possibly at risk, organizations without clear decision rights do more than move slowly – they move in conflicting directions, wasting valuable time and eroding credibility when both are in shortest supply.

Jon Earl Murphy, a chief security risk executive and board adviser with more than 25 years helping organizations make clear decisions where technology, regulation, and business risk collide, has developed a precise framework for boards that want to govern cyber risk rather than react to it. “Cybersecurity is no longer just an IT issue,” Murphy states. “It is a whole-of-enterprise risk issue.”

Start With Business Questions, Not Technical Details

Boards that are pulled into technical language during a crisis – malware types, threat actor profiles, and specific system vulnerabilities – lose the ability to govern. Those details matter, but they belong with the teams handling them. The first questions a board should ask are business questions: ‘What is the operational impact?’ ‘Which customer data or services are affected?’ ‘Which regulatory obligations have been triggered?’ and ‘What decisions does management need from the board right now?’

That reframing changes the entire dynamic of a crisis response. When boards anchor on business impact, they can move faster and make clearer decisions because they are working within their actual domain of authority. Technical briefings should be designed to answer business questions, not to demonstrate the sophistication of the threat or the complexity of the response. The chief information security officer (CISO) who briefs a board effectively under pressure translates technical reality into business consequences. That skill becomes especially valuable when it matters most.

Separate Facts From Assumptions

Speed matters in a crisis. Speed without clarity creates more risk than it resolves. Murphy draws a distinction that should be standard practice in every board-level cyber briefing: what is confirmed, what is suspected, and what remains unknown. That discipline prevents both overreaction and underreaction, and the difference between the two can determine whether an organization’s response becomes a case study in effective governance or in avoidable escalation.

The contrast Murphy offers is concrete. “We believe data may have been accessed,” and “we have confirmed regulated customer data was exfiltrated” are not two versions of the same statement. They trigger entirely different legal obligations, communication strategies, and operational decisions. A board that does not insist on this separation will make decisions based on assumptions dressed up as facts and discover the error at the worst possible time.

Build Resilience Before the Crisis Arrives

The best board-level cybersecurity decisions happen before an incident. Tabletop exercises that test realistic scenarios, establish clear escalation paths, define decision rights for disclosure, address ransom demands, clarify law enforcement engagement, and prepare for third-party notifications are prerequisites for an effective response.

Murphy adds one insight that is often overlooked in governance: when pressure is highest, resist the urge to hover over the people fixing the problem. Responders do not need a ring of executives demanding constant situation reports. They need clarity, confidence, and space to work. Trust in the team is a force multiplier when the organization needs it most, and executives who crowd the response slow it down regardless of their intentions. The goal of board-level governance in a cyber crisis is not to manage the technical response. It is to protect the enterprise, support the people who handle it, and make the decisions only the board can make, with the clarity that preparation makes possible.

Follow Jon Earl Murphy on LinkedIn for more insights on cybersecurity governance, board-level risk decision-making, and building the organizational resilience that holds under pressure.
